bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

CKV_GCP_6 outdated check #6102

Open GurayCetin opened 6 months ago

GurayCetin commented 6 months ago

CKV_GCP_6 checks for [settings/[0]/ip_configuration/[0]/require_ssl] but there is the newer version [settings/[0]/ip_configuration/[0]/ssl_mode].

So existing CKV_GCP_6 policy is misleading and outdated. Any chance to add a policy for ssl_mode?

See also https://cloud.google.com/sql/docs/mysql/configure-ssl-instance#enforcing-ssl

Harmelodic commented 1 month ago

This is the check that does it: https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlDatabaseRequireSsl.py

I'm not sure on bridgecrew's stance on making these sorts of changes, but my two cents would be:

Ideally (in my opinion), the same check would be used but the underlying code would be changed to just check the provider version and then check either ssl_mode or require_ssl is set correctly, since the documented check policy of...

Ensure all Cloud SQL database instance requires all incoming connections to use SSL

...is the same, whether you use the old require_ssl attribute or the new ssl_mode attribute.

Alternatively, creating a new check to require for ssl_mode to be TRUSTED_CLIENT_CERTIFICATE_REQUIRED, and deprecating CKV_GCP_6, but that leaves an empty gap in list of checks.

jbrule commented 2 weeks ago

The policy was modified to observe ssl_mode if present. require_ssl is still acceptable.
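The evaluation order described in the two comments above (ssl_mode decides when present, require_ssl otherwise), as an added stand-alone example that is not the project's own GoogleCloudSqlDatabaseRequireSsl check: it reads a google_sql_database_instance resource in the list-wrapped dict shape a Terraform parser produces and returns PASSED or FAILED. Treating ENCRYPTED_ONLY as well as TRUSTED_CLIENT_CERTIFICATE_REQUIRED as an SSL-enforcing mode is this example's reading of the policy text, and the sample resources are constructed.

```python
"""Evaluate the 'Cloud SQL instance requires SSL' policy against one parsed
google_sql_database_instance resource, honouring both the legacy require_ssl
attribute and the newer ssl_mode attribute (example code, not the project's)."""

# ssl_mode values that force TLS on every incoming connection.
# TRUSTED_CLIENT_CERTIFICATE_REQUIRED is the value named in the thread;
# accepting ENCRYPTED_ONLY too is this example's assumption about the policy.
SSL_ENFORCING_MODES = {"ENCRYPTED_ONLY", "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"}


def _first(value):
    """Terraform parsers hand attributes and blocks over as single-item lists;
    unwrap one level so the rest of the check reads plain values."""
    if isinstance(value, list):
        return value[0] if value else None
    return value


def evaluate_require_ssl(conf: dict) -> str:
    """Return 'PASSED' or 'FAILED'. ssl_mode, when set, takes precedence;
    otherwise require_ssl decides; a missing block or neither attribute fails."""
    settings = _first(conf.get("settings"))
    if not isinstance(settings, dict):
        return "FAILED"
    ip_config = _first(settings.get("ip_configuration"))
    if not isinstance(ip_config, dict):
        return "FAILED"

    ssl_mode = _first(ip_config.get("ssl_mode"))
    if ssl_mode is not None:
        return "PASSED" if str(ssl_mode) in SSL_ENFORCING_MODES else "FAILED"

    require_ssl = _first(ip_config.get("require_ssl"))
    # HCL booleans may arrive as bool or as the strings "true"/"false".
    return "PASSED" if str(require_ssl).lower() == "true" else "FAILED"


# Constructed sample resources in the list-wrapped shape a Terraform parser produces.
SAMPLES = {
    "ssl_mode_enforced": {"settings": [{"ip_configuration": [
        {"ssl_mode": ["TRUSTED_CLIENT_CERTIFICATE_REQUIRED"]}]}]},
    "permissive_ssl_mode_overrides_require_ssl": {"settings": [{"ip_configuration": [
        {"ssl_mode": ["ALLOW_UNENCRYPTED_AND_ENCRYPTED"], "require_ssl": [True]}]}]},
    "legacy_require_ssl": {"settings": [{"ip_configuration": [{"require_ssl": [True]}]}]},
    "nothing_set": {"settings": [{"ip_configuration": [{"ipv4_enabled": [True]}]}]},
}

if __name__ == "__main__":
    for name, resource in SAMPLES.items():
        print(f"{name}: {evaluate_require_ssl(resource)}")
```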

Harmelodic commented 2 weeks ago

Installed and ran checkov@3.2.254 on Terraform code:

As expected 👍 Thanks!